Data Security Compliance Risk Without Compliant Vendors?

Data Security ComplianceHow to Ensure Vendor Compliance

Data security compliance regulations are designed to help companies ensure the integrity, security and availability of the sensitive data they handle. Organizations must comply with these rules and guidelines to protect their systems and data from security breaches and other types of risks.

With the tremendous amount of data handled and stored by companies, being data compliant is a critical requirement for all businesses. Sensitive digital assets in the form of financial information and personally identifiable details need to be secured from theft, loss and misuse.

Compliance Regulatory Bodies

There are now several industry standards, state or federal-level laws, and even supra-national regulations all businesses need to comply with, depending on the extent of their operations or coverage.

These include the European Union’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act of 2002 (SOX — more on financial reporting), and the California Consumer Privacy Act (CCPA), which took effect this year.

The reality is, non-compliance fees and fines for data breaches can prove substantial — not to mention the negative effect of bad publicity on brand reputation.

The Importance of Vendor Compliance

But what happens if you, the client or business, are 100 percent compliant but you cannot say the same — with confidence — about your vendors?

For example, some firms that accept credit card payments use third-party services to process card payments. In this all-too-common scenario, it’s still the responsibility of the merchant to ensure the safety and security of all credit or debit card data it collects, transmits or stores.

If your company is compliant, but you find out that one of your vendors got a spear-phishing email attack, what would you do? Such an event will not only bring to question your ability to protect your data assets but also your level of data security compliance with data regulations.

To avoid this unfortunate scenario, vendor risk management and vendor compliance with standards set by regulatory bodies such as the National Institute of Standards and Technology (NIST), Health Information Trust Alliance (HITRUST), and PCI need to be ensured and documented.

Ensuring Compliance Through Vendor Risk Management

The increasing complexity of relationships between clients and third-party partner companies implies that vendor management will continue to evolve as a process. However, there are steps you can take to clarify your business relationship with your vendors and ensure data security compliance with data protection laws and regulations.

  • Conduct risk assessments of individual vendors. Categorize or classify each vendor based on the service they provide and the data/systems they have access to, as well as the risk their own supply chains pose to your business.
  • Clarify vendor performance metrics. Before establishing a long-term relationship with any vendor, make sure you clearly define what key performance indicators (KPIs) they need to address and fulfill, especially in relation to cybersecurity.
  • Come up with clear, specific agreements. Contracts and agreements must clarify risk tolerance and how risk pertains to your business and relationship. Based on the set KPIs, define clear guidelines on what amounts to non-compliance and what factors can lead to the termination of your business relationship. Require each vendor to secure their own environment and comply with regulations governing their business or industry.
  • Require clear and rapid communication. There needs to be a clear line of communication in the entire supply chain, including with the vendors of your own vendor.

Consider these tips in securing your data assets and in establishing a relationship of mutual trust with your vendors.

Emory Vandiver

Emory Vandiver is the Vice President of Business Operations and a Partner at Interactive Security, where he is responsible for executing the company's strategy as a premier IT Security and Compliance provider. For over 20 years Emory has worked for leading enterprises across a diverse cross section of the information technology industry. His professional passion lies in understanding client business goals, challenging the status quo and leveraging technology-based solutions to maximize client performance. He strives to bring unique insight and value to his clients' businesses, along with a superior customer experience.